FIDO and Custom Authentication

You can customize the authentication experience for users in the following ways:

Allow FIDO Authentication to a Third-Party Domain

If your company developed an authentication client for FIDO third-party authenticators using the RSA SecurID Authentication API, you can allow FIDO users to access a third-party domain, which is a domain other than securid.com. You are permitted to add one third-party domain. The RSA SecurID Authentication API Developer's Guide describes how to implement a web client for third-party FIDO authenticators.

Before you begin

  • You must be a Super Admin for the Cloud Administration Console.

  • Obtain the value of the FIDO_RP_ID that is used in the FIDO web client from your web client developer.

Procedure

  1. In the Cloud Administration Console:

    • If your company is not enabled for a custom mobile app, click Access > FIDO Authentication.

    • If your company is enabled for a custom mobile app, click Access > Custom Authentication.

  2. In the Host Name (FIDO_RP_ID) field, specify the host name of the host requesting authentication. Use domain name format, for example, abcd.com. This value must exactly match the FIDO_RP_ID in the client program that calls the RSA SecurID Authentication API.

  3. Click Save.

  4. (Optional) Click Publish Changes to activate the settings immediately.
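
The exact-match requirement in step 2 can be checked before you publish. The following Node.js script is an added example, not code from RSA or from the Developer's Guide. It assumes the web client uses WebAuthn; the function names, the page URL and the sample values are assumptions, and the subdomain test only approximates the browser's RP ID rule.

```javascript
// Added example: pre-flight check for the Host Name (FIDO_RP_ID) setting.
const { createHash } = require("node:crypto");

// One DNS label, then a host name of two or more labels (no scheme, port, path).
const LABEL = "[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?";
const DOMAIN_RE = new RegExp(`^(?=.{1,253}$)${LABEL}(?:\\.${LABEL})+$`, "i");

// WebAuthn authenticator data starts with SHA-256(RP ID), so strings that
// differ in any byte (case, "www.", trailing dot) name different relying parties.
function rpIdHash(rpId) {
  return createHash("sha256").update(rpId, "utf8").digest("hex");
}

// consoleHostName: value typed into the Host Name (FIDO_RP_ID) field.
// clientRpId: FIDO_RP_ID constant from the web client source.
// pageUrl: URL the web client is served from (hypothetical input).
function checkRpId(consoleHostName, clientRpId, pageUrl) {
  const problems = [];
  if (!DOMAIN_RE.test(consoleHostName)) {
    problems.push("console value is not in domain name format");
  }
  if (consoleHostName !== clientRpId) {
    problems.push("console value and client FIDO_RP_ID differ");
  }
  // Approximation of the browser rule: the page host must equal the RP ID or
  // be a subdomain of it. Browsers also reject public suffixes; not checked here.
  const host = new URL(pageUrl).hostname;
  if (host !== clientRpId && !host.endsWith("." + clientRpId)) {
    problems.push("page host is outside the client FIDO_RP_ID domain");
  }
  return {
    ok: problems.length === 0,
    problems,
    consoleHash: rpIdHash(consoleHostName),
    clientHash: rpIdHash(clientRpId),
  };
}

// Constructed sample values; abcd.com is the example host name from step 2.
const samples = [
  ["abcd.com", "abcd.com", "https://login.abcd.com/auth"],
  ["www.abcd.com", "abcd.com", "https://login.abcd.com/auth"],
  ["https://abcd.com", "abcd.com", "https://abcd.com/"],
];
for (const [consoleValue, clientValue, url] of samples) {
  const r = checkRpId(consoleValue, clientValue, url);
  console.log(consoleValue, r.ok ? "OK" : r.problems.join("; "));
}
```
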

Add a Custom Mobile Authentication App

Your company can develop a custom authentication app for iOS or Android mobile devices based on the SecurID SDK. Users download the custom app and register their devices with the Cloud Authentication Service.

Use this procedure to add the custom app to the Cloud Authentication Service and generate an Application ID. Send the Application ID to your custom app development team.

Note: You must ask RSA to enable this feature for your company. If the feature is disabled, configuration settings for the custom mobile app are not displayed.

Device Registration with a Custom App

You can configure My Page for users to register their devices with the custom app, or you can use your own custom self-service portal for registration. For instructions, see Manage My Page.

Each user may use one User ID to register a device with only one app per company account. A user who wants to use a second app must do one of the following: register the device using a different User ID, delete the first app from the device before registering with the second app, or perform the second registration with a different Company account.

For example, suppose user jsmith@abc.com in Company ABC downloads the custom app and registers a device. Later this user wants to use the Authenticate app. This user can do one of the following:

  • Download the Authenticate app and re-register the same device using a different User ID with Company ABC.

  • Delete the custom app from the device, then download the Authenticate app and re-register the device with Company ABC.

  • Download the Authenticate app and re-register the same device using the same User ID but with a different Company account.

Procedure

  1. In the Cloud Administration Console, click Access > Custom Authentication.

  2. In the Name field, specify a friendly name to identify this app.

  3. In the Application ID field, enter a unique identifier between 12 and 255 characters long. Acceptable characters are alphanumeric, underscore (_), hyphen (-), and period (.).

  4. Click Save.

  5. (Optional) Click Publish Changes to activate the configuration immediately.

After you finish

Copy the Application ID and send it to your custom app development team.